Is anyone successfully running OpenVPN with Active Directory integration? Are you using the openvpn.net or the openvpn.net/opensource version of OpenVPN? Any tips, tricks or gotchas or did it "just work?" (yes, I've seen this How To but sometimes how tos aren't as simple as they look for me).

Backstory:
I have a very old Cisco Concentrator (3000 series) that needs to be replaced. I'd like the replacement to be something that integrates with AD user/passwords. I have a stack of reasonably modern HP DL320 boxes laying around and that led me to the OpenVPN idea...

5 Answers
5

I prefer having OpenVPN auth against PAM (with LDAP, or Kerberos), since this is the most flexible solution. I've had the impression that the LDAP plugin provided by OpenVPN is sorta dirty ad-hoc solution -- nothing compared to the LDAP or Kerberos plug-ins for PAM. I've had problems from time to time where proper user credentials were refused access; a retry solved that problem. My current (production) setup authenticates against PAM. The PAM stack has Kerberos (pam_krb5) on top for OpenVPN authentication. Daily use by nearly 100 users. You can do a lot of stuff with PAM (multiple authentication mechanisms, multiple sources, etc. etc.).
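As an added illustration of the setup this answer describes (not the answerer's own files, and not from the OpenVPN project): a minimal server-side wiring of OpenVPN to PAM, with a PAM stack that checks the password against the AD Kerberos realm via pam_krb5. The plugin path, the PAM service name `openvpn`, the realm `EXAMPLE.LOCAL` and the KDC hostname are assumptions and must be adjusted to the local environment.

```ini
# ---- /etc/openvpn/server.conf (fragment) ----
# Keep the usual certificate settings (ca, cert, key, dh, server, ...) in place:
# the PAM password check is added ON TOP of the client certificate, it does not
# replace it, so a stolen certificate alone is not enough to connect.

# Hand the username/password the client sends to the auth-pam plugin.
# The .so path is distribution-specific (assumed here). The trailing argument
# "openvpn" is the PAM service name, i.e. the file /etc/pam.d/openvpn below.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# Optional: use the PAM-verified username (not the certificate CN) as the
# client's identity for logging and client-config-dir lookups.
username-as-common-name

# ---- /etc/pam.d/openvpn (assumed path; Linux-PAM syntax) ----
# Password is checked by obtaining a Kerberos TGT from the AD domain
# controllers; the account phase rejects expired or disabled principals
# as far as the KDC reports them.
auth     required   pam_krb5.so
account  required   pam_krb5.so

# ---- /etc/krb5.conf (fragment; realm and KDC names are assumptions) ----
[libdefaults]
    default_realm = EXAMPLE.LOCAL

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
    }
```

Verify the Kerberos side on its own before involving OpenVPN (`kinit someuser@EXAMPLE.LOCAL` from the VPN host must succeed); OpenVPN then logs the PAM result per connection attempt, which is the first place to look for the intermittent refusals the answer mentions. One gotcha with password authentication: TLS renegotiation (`reneg-sec`, default 3600 seconds) re-runs the PAM check, so clients configured with `auth-nocache` will be prompted again every hour.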

We require AD authentication for our OpenVPN installation (with group/OU integration) and found the easiest was using the radius plugin using Windows Internet Authentication Services (i.e. Win2003 radius).

Not that the auth-ldap doesn't work well, just the radius integration ended up being easier for us to get working (YMMV).

For what it's worth, discovered in hindsight: the commercial offering - OpenVPN-AS (or openvpn.net as you've referred to it) - works really well out of the box, for both radius and LDAP authentication, and the license fee is really low - it works with concurrent connections rather than named users (at $250 for 50 concurrent connections, with smaller bundles available). Also, the user take-on is well put together and makes new users and migration of existing clients relatively painless.

For some places "free and open source" is a requirement for deployment -- the non-profit where I work especially. Also, IMHO OpenVPN is very easy to implement.
– scraft3613, Jan 9 '10 at 16:02

While "free and open source" aren't hard requirements, the fact that I'd have to buy another OS license is definitely part of the reason I'm looking at OpenVPN.
– Chris_K, Jan 9 '10 at 17:40

You already indicated that AD integration was part of the requirement. Therefore, license purchased. You can even do it with one NIC on your DC if you have to (not exactly recommended though.) I've seen well over 200 people logged in to a w2k3 server at my old office with nary a complaint.
– Dayton Brown, Jan 10 '10 at 2:35

While this debate is fun, it certainly isn't in the spirit of the question I asked: Have you run OpenVPN with AD integration? If not, we're done right? Thanks for the alternatives.
– Chris_K, Jan 10 '10 at 23:07

1

Also, the OP may not want to run his VPN on his DC; there are many reasons for that, particularly for security, so if he wanted to run an RRAS VPN, he would need another OS licence.
– Sam, Jan 11 '10 at 10:57